Tech Tip: Will Metasploit improve security or help hackers?

To the average user, one of the great
mysteries of computing is how hackers and security researchers
discover vulnerabilities in applications. But there really is no
magic involved with finding vulnerabilities; it just takes a lot of
experience and knowledge.

While programmers with limited skills sometimes
manage to find vulnerabilities in application source code, it
generally requires a lot more experience to audit source code for
vulnerabilities. And that's not even taking into consideration the
skill and experience that's necessary to identify vulnerabilities
in compiled code.

Compiled applications are basically streams of
binary data. It takes a great deal of understanding of the inner
workings of microprocessors to find vulnerabilities in them. This
requires knowledge of assembly language, a very specialized
programming skill—one possessed by a minority of programmers.

Of course, it certainly seems beneficial for
all computer users to expand their knowledge. And earlier this
month, the Metasploit Project released a tool that it hopes will
help users better develop this understanding. But as I read more
about Metasploit Framework 2.0, a collection of tools for
developing and testing exploit code, I can't help but remember the
old adage that warns a little knowledge can be a dangerous
thing.

Although released as a research tool,
Metasploit will certainly find use within the hacker community.
Like other virus and worm "toolkits" circulating freely, Metasploit
allows people with limited abilities to leverage the skills of
others to create hostile code to exploit vulnerabilities in
applications and operating systems, including all major Windows
versions.

Will Metasploit lead to a rash of new worms and
viruses? Many industry analysts are asking this question. Exploits
generally appear shortly after public disclosure of a
vulnerability. This isn't surprising—the majority of people who
exploit vulnerabilities are simply making use of public
information. Any tool specifically designed to create exploits may
encourage people who do not otherwise possess the skill or impetus
to begin creating exploits.

There's no doubt that Metasploit makes it
almost trivial to create hostile code. For security researchers and
administrators, it's undoubtedly a great way to proactively detect
flaws in their applications and learn how to better defend networks
against attacks.

But for those who write malicious code, it's
just another way to cause problems. Remember that antivirus
companies can only provide protection for exploits they can
identify and provide signatures for. If hackers released a large
number of viruses and worms simultaneously, the vast majority of
Internet users and antivirus companies would have no time to
react.

On the other hand, before passing judgment on
the authors of this tool, consider that Metasploit could perhaps do
the entire computing world a service. Vulnerabilities in software
are the consequence of poor programming practices. But the root
problem isn't that exploits for vulnerabilities exist—it's that the
vulnerabilities exist in the first place.

Perhaps tools such as Metasploit might cause
programmers to spend a little more time reviewing their code to
look for unchecked data input areas. And it might convince
programmers to learn more about the internal workings of
microprocessors and better understand the consequences of buffer
overflows.

When it comes down to it, hackers already have
this understanding. But tools such as Metasploit, while presenting
the potential for abuse, also have the potential to teach—and
empower the good guys with the knowledge the hackers already
have.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.